Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method comprising: entering, by a computing device, a Unified Extensible Firmware Interface (UEFI) environment upon powering on the computing device; while in the UEFI environment: restricting, by the computing device, booting of an operating system of the computing device; accessing, by the computing device and from a trusted platform module of the computing device, a certificate corresponding to a particular user; sending, by the computing device, a verification request to a server system over a communication network, the verification request being generated based on the certificate; and receiving, by the computing device, a verification response from the server system over the communication network, the verification response confirming authorization for the particular user corresponding to the certificate; and in response to receiving the verification response: initiating, by the computing device, a communication session based on confirming authorization for the particular user, enabling, by the computing device, the operating system to boot, and passing, by the computing device, the communication session to the operating system such that the operating system continues the communication session after the operating system is enabled to boot.
This invention relates to secure computing device boot processes using UEFI (Unified Extensible Firmware Interface) and trusted platform modules (TPM). The problem addressed is ensuring secure authentication and authorization of users before allowing a computing device to boot into its operating system, preventing unauthorized access. Upon powering on, the computing device enters a UEFI environment, where it restricts the booting of the operating system. The device accesses a certificate stored in its TPM, which corresponds to a specific user. The device then sends a verification request to a remote server over a network, using the certificate as part of the request. The server processes the request and returns a verification response confirming the user's authorization. Upon receiving this response, the device initiates a secure communication session, enables the operating system to boot, and passes the communication session to the operating system. This allows the operating system to continue the session after booting, ensuring that only authorized users can access the system. The method enhances security by verifying user credentials before the operating system loads, reducing the risk of unauthorized access.
2. The method of claim 1 , wherein: the trusted platform module stores a secure address for the server system; and sending the verification request to the server system comprises: determining an address to send the verification request based on the secure address stored in the trusted platform module, and sending the verification request to the secure address for the server system.
This invention relates to secure communication between a computing device and a server system using a trusted platform module (TPM). The problem addressed is ensuring secure and authenticated communication between a device and a server, particularly in environments where network addresses may be dynamic or subject to tampering. The invention involves a method for verifying the authenticity of a server system by a computing device. The trusted platform module (TPM) within the computing device stores a secure address for the server system, which is used to establish a trusted communication channel. When the computing device needs to send a verification request to the server system, it retrieves the secure address from the TPM rather than relying on potentially vulnerable or dynamic network configurations. The TPM ensures that the address used for communication is authentic and has not been altered or compromised. The verification request is then sent to the secure address stored in the TPM, ensuring that the communication is directed to the legitimate server system. This approach enhances security by preventing man-in-the-middle attacks or address spoofing, as the TPM acts as a trusted source for the server's address. The method is particularly useful in environments where network configurations may change or where devices need to verify the authenticity of remote systems before exchanging sensitive data.
3. The method of claim 1 , while in the UEFI environment, the method further comprises: initiating the communication session by entering a virtual private network session; and passing the communication session to the operating system by passing the virtual private network session to the operating system such that the operating system continues the virtual private network session after the operating system is enabled to boot.
This invention relates to secure communication session management during the boot process of a computing device, specifically within the Unified Extensible Firmware Interface (UEFI) environment. The problem addressed is ensuring secure and uninterrupted communication sessions, such as virtual private network (VPN) connections, during the transition from the UEFI firmware to the operating system (OS) after boot. The method involves initiating a communication session within the UEFI environment by establishing a VPN session. This session is then passed to the operating system, allowing the OS to continue the VPN session once it is fully booted. This ensures that the secure communication channel remains active throughout the boot process, preventing disruptions that could occur if the session were reestablished by the OS. The technique leverages the UEFI environment's capabilities to handle secure connections before the OS takes over, providing a seamless transition and maintaining security from the earliest stages of the boot process. This is particularly useful in environments where continuous secure connectivity is critical, such as remote management, secure data access, or enterprise systems requiring persistent VPN access.
4. The method of claim 1 , further comprising: receiving, by the computing device, a proof of identity of the particular user; verifying the proof of identity of the particular user; and enabling the operating system to boot based on verifying the proof of identity of the particular user.
A system and method for secure computing device authentication involves verifying a user's identity before allowing the operating system to boot. The technology addresses security risks in computing environments where unauthorized access can lead to data breaches or system compromise. The method includes receiving a proof of identity from a user, such as biometric data, a password, or a cryptographic token, and verifying this proof against stored credentials. Upon successful verification, the operating system is permitted to proceed with the boot process. This ensures that only authenticated users can access the system, preventing unauthorized booting and enhancing device security. The method may also involve additional authentication steps, such as multi-factor verification, to further strengthen security. By integrating identity verification into the boot sequence, the system mitigates risks associated with physical theft or unauthorized access attempts. The approach is applicable to personal computers, servers, and other computing devices where secure access control is critical.
5. The method of claim 4 , wherein verifying the proof of identity of the particular user comprises verifying at least one of: a personal identification number (PIN) provided by the particular user; a username and password combination provided by the particular user; biometric data of the particular user; or proximity of one or more trusted devices of the particular user.
This invention relates to user authentication systems, specifically methods for verifying the identity of a user in a secure manner. The problem addressed is ensuring reliable and flexible authentication to prevent unauthorized access while accommodating different user preferences and security levels. The method involves verifying a user's identity by checking at least one of several authentication factors. These include a personal identification number (PIN) entered by the user, a username and password combination, biometric data such as fingerprints or facial recognition, or the proximity of one or more trusted devices associated with the user. The system may require one or more of these factors to confirm identity, depending on the security requirements of the application. This multi-factor approach enhances security by reducing reliance on a single authentication method, making unauthorized access more difficult. The method is particularly useful in applications where high security is needed, such as financial transactions, access control systems, or sensitive data management. By supporting multiple verification methods, the system provides flexibility while maintaining robust security.
6. The method of claim 1 , wherein the verification response indicates that (i) an authorization issued to a user is valid and has not expired, and (ii) use of the authorization is not presently restricted by an authorization policy.
This invention relates to systems for verifying the validity and unrestricted use of digital authorizations, such as tokens or credentials, in access control environments. The problem addressed is ensuring that an authorization remains valid, has not expired, and complies with current authorization policies before granting access to a resource. Existing systems may fail to dynamically check both expiration status and policy restrictions, leading to unauthorized access or service disruptions. The method involves generating a verification response that confirms two key conditions: first, that an authorization issued to a user is currently valid and has not expired; and second, that the use of the authorization is not restricted by any applicable authorization policy. The verification process dynamically evaluates these conditions against real-time data, ensuring that access decisions are based on the latest authorization state. This approach prevents expired or policy-restricted authorizations from being used, enhancing security and compliance. The method may be integrated into authentication systems, API gateways, or identity management platforms to enforce access controls. By combining expiration checks with policy validation, the invention provides a robust mechanism for maintaining secure and compliant access to digital resources.
7. The method of claim 6 , wherein the authorization policy specifies a particular time frame during which use of the authorization is restricted.
This invention relates to systems for managing authorization policies, particularly in digital environments where access control is required. The problem addressed is the need to enforce time-based restrictions on authorization permissions, ensuring that access to resources or services is only granted during specific, predefined time periods. This is critical for security, compliance, and operational efficiency in environments where access must be dynamically controlled. The method involves defining an authorization policy that includes a time frame restriction. This policy is applied to a user, device, or system component, limiting when the associated authorization can be used. The time frame may be a recurring schedule (e.g., business hours) or a one-time window. The system checks the current time against the policy's time frame before granting access, ensuring compliance with the restriction. This approach prevents unauthorized access outside the allowed period, enhancing security and reducing the risk of misuse. The method may also integrate with broader access control mechanisms, such as role-based or attribute-based systems, to further refine authorization decisions. By combining time-based restrictions with other policy conditions, the system provides granular control over access permissions. This is particularly useful in environments like enterprise networks, cloud services, or IoT systems where dynamic access management is essential. The invention ensures that authorization policies adapt to temporal constraints, improving security and operational flexibility.
8. The method of claim 6 , wherein: the method further comprises obtaining, by the computing device, context data associated with the computing device upon powering on the computing device; and the verification response confirms that the context data associated with the computing device satisfies the authorization policy.
A computing device verifies its operational context against an authorization policy during power-on to ensure secure and authorized operation. The method involves obtaining context data from the device upon powering on, which may include hardware identifiers, firmware versions, network configurations, or other environmental factors. This context data is then compared against predefined authorization policies stored in the device or a remote server. The verification process generates a response confirming whether the context data meets the policy requirements. If the context data does not satisfy the policy, the device may restrict certain operations, trigger security measures, or prevent full system activation. This approach enhances security by ensuring the device operates only under authorized conditions, mitigating risks from unauthorized modifications or tampering. The method is particularly useful in environments where device integrity and compliance with security policies are critical, such as enterprise networks or regulated industries. The context data may be collected from various sources, including hardware sensors, firmware logs, or network interfaces, and the verification process can involve cryptographic checks or policy-based evaluations to ensure accuracy and reliability.
9. The method of claim 1 , wherein: while in the UEFI environment, the method further comprises: determining, by the computing device, that the computing device is unable to connect to the communication network; in response to determining that the computing device is unable to connect to the communication network, accessing by the computing device and from the trusted platform module, a limited certificate corresponding to the particular user; and enabling, by the computing device, the operating system to boot in a limited configuration such that the operating system restricts network access on the computing device after the operating system logs in the particular user.
A computing device in a UEFI (Unified Extensible Firmware Interface) environment may encounter issues connecting to a communication network, such as during initial setup or after a network failure. This problem can prevent the device from accessing necessary authentication certificates stored remotely, which are typically required for full system boot and user login. To address this, the device checks its connection status in the UEFI environment. If no network connection is detected, the device retrieves a limited certificate from the trusted platform module (TPM), a hardware-based security feature. This certificate is pre-stored and associated with a specific user. The device then boots the operating system in a restricted mode, allowing the user to log in but enforcing limitations on network access. This ensures basic functionality while maintaining security, even without an active network connection. The limited configuration may restrict certain applications or services that require network access, preventing potential security risks while still allowing the user to perform essential tasks. This approach provides a fallback mechanism for authentication and system access when network connectivity is unavailable.
10. The method of claim 9 , further comprising: after enabling the operating system to boot in the limited configuration, providing, by the computing device, identify verification data specifying the limited certificate to one or more applications running on the operating system such that one or more applications logs in the particular user without requiring proof of identity.
This invention relates to secure computing systems, specifically methods for enabling an operating system to boot in a limited configuration while allowing user authentication without requiring proof of identity. The problem addressed is ensuring system usability in restricted environments where full authentication mechanisms may be unavailable or impractical, such as during recovery or maintenance operations. The method involves booting a computing device in a limited configuration where only essential system functions are active. After booting, the device provides identity verification data to applications running on the operating system. This verification data specifies a limited certificate, which allows one or more applications to log in a particular user without requiring additional proof of identity. This streamlines access in scenarios where traditional authentication methods are bypassed or disabled, ensuring operational continuity while maintaining a controlled security posture. The limited configuration restricts system functionality to prevent unauthorized access or actions, while the identity verification data ensures that authorized users can still interact with critical applications without manual authentication steps. This approach balances security and usability in constrained environments.
11. The method of claim 1 , wherein the verification request comprises at least a device identifier of the computing device stored within the trusted platform module and a user identifier for with the particular user.
A system and method for secure device verification involves a computing device equipped with a trusted platform module (TPM) to authenticate the device and a user. The method addresses the problem of ensuring secure access to computing resources by verifying both the device and the user identity. The verification process begins with a request that includes a device identifier stored within the TPM and a user identifier associated with the particular user. The TPM generates a cryptographic proof of the device's integrity and authenticity, which is then combined with the user identifier to create a secure verification token. This token is transmitted to a remote verification server, which validates the device's identity and the user's authorization. The system ensures that only trusted devices and authorized users can access sensitive resources, mitigating risks of unauthorized access or device tampering. The method leverages hardware-based security features of the TPM to enhance trust in the verification process, providing a robust solution for secure authentication in computing environments.
12. A system comprising: one or more computers; and one or more storage devices storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising: entering, by a computing device, a Unified Extensible Firmware Interface (UEFI) environment upon powering on the computing device; while in the UEFI environment: restricting, by the computing device, booting of an operating system of the computing device; accessing, by the computing device and from a trusted platform module of the computing device, a certificate corresponding to a particular user; sending, by the computing device, a verification request to a server system over a communication network, the verification request being generated based on the certificate; and receiving, by the computing device, a verification response from the server system over the communication network, the verification response confirming authorization for the particular user corresponding to the certificate; and in response to receiving the verification response: initiating, by the computing device, a communication session based on confirming authorization for the particular user, enabling, by the computing device, the operating system to boot, and passing, by the computing device, the communication session to the operating system such that the operating system continues the communication session after the operating system is enabled to boot.
This system enhances computing device security by integrating a trusted platform module (TPM) with a server-based authentication process during the boot sequence. The technology addresses the vulnerability of unauthorized access to computing devices by enforcing user verification before allowing the operating system to boot. Upon powering on, the device enters a Unified Extensible Firmware Interface (UEFI) environment, where it restricts the operating system from booting. The device then accesses a user-specific certificate stored in the TPM and sends a verification request to a server over a network. The server evaluates the request and, if the user is authorized, sends a confirmation response. Upon receiving this response, the device initiates a secure communication session, enables the operating system to boot, and passes the session to the operating system, allowing it to continue the session after booting. This ensures that only authorized users can access the device, mitigating risks of unauthorized access during the boot process. The system leverages hardware-based security (TPM) and remote authentication to provide a robust security framework.
13. The system of claim 12 , wherein: the trusted platform module stores a secure address for the server system; and sending the verification request to the server system comprises: determining an address to send the verification request based on the secure address stored in the trusted platform module, and sending the verification request to the secure address for the server system.
This invention relates to secure communication systems, specifically addressing the challenge of verifying the authenticity of a server system in a trusted computing environment. The system includes a trusted platform module (TPM) that securely stores a verified address for the server system. When a verification request is sent to the server system, the system determines the address to use based on the secure address stored in the TPM, ensuring that the request is sent only to the authenticated server. This prevents man-in-the-middle attacks and ensures that communications are directed to the legitimate server. The TPM acts as a hardware-based security module that provides cryptographic functions and secure storage, enhancing the overall security of the system. The secure address stored in the TPM is used to verify the server's identity before establishing a connection, ensuring that the communication channel is secure and trusted. This approach mitigates risks associated with unauthorized or compromised server addresses, providing a robust mechanism for secure server verification in computing environments.
14. The system of claim 12 , wherein, while in the UEFI environment, the operations further comprise: initiating the communication session by entering a virtual private network session; and passing the communication session to the operating system by passing the virtual private network session to the operating system such that the operating system continues the virtual private network session after the operating system is enabled to boot.
This invention relates to secure communication systems for computing devices, specifically addressing the challenge of maintaining a secure communication session during the transition from a pre-boot environment to a fully booted operating system. The system enables a computing device to establish a secure communication session, such as a virtual private network (VPN) connection, while in the Unified Extensible Firmware Interface (UEFI) environment before the operating system is fully loaded. This ensures that the device can securely communicate with remote servers or networks even during the early stages of the boot process, reducing exposure to potential security threats. The system initiates the VPN session within the UEFI environment and seamlessly transfers this session to the operating system once it is enabled to boot. This transfer allows the operating system to continue the VPN session without interruption, maintaining a secure connection throughout the boot process. The invention improves security by ensuring that all communications, including those during the boot phase, are encrypted and protected. This is particularly useful for devices that require high levels of security, such as enterprise systems, government devices, or IoT devices that need to communicate securely from the moment they are powered on.
15. The system of claim 12 , wherein the operations further comprise: receiving, by the computing device, a proof of identity of the particular user; verifying the proof of identity of the particular user; and enabling the operating system to boot based on verifying the proof of identity of the particular user.
A system for secure device authentication involves a computing device that verifies a user's identity before allowing the operating system to boot. The system includes a secure enclave or trusted execution environment that performs cryptographic operations to authenticate the user. During the boot process, the computing device receives a proof of identity from the user, such as a biometric scan, password, or hardware token. The system then verifies this proof against stored credentials or biometric data. If the verification is successful, the operating system is permitted to proceed with booting. This ensures that only authorized users can access the device, preventing unauthorized access even before the operating system fully loads. The system may also integrate with hardware-based security modules to enhance protection against tampering or spoofing. The approach improves security by enforcing authentication at an early stage of the boot process, reducing vulnerabilities to attacks that target the pre-boot environment.
16. One or more non-transitory computer-readable storage devices encoded with computer program instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising: entering, by a computing device, a Unified Extensible Firmware Interface (UEFI) environment upon powering on the computing device; while in the UEFI environment: restricting, by the computing device, booting of an operating system of the computing device; accessing, by the computing device and from a trusted platform module of the computing device, a certificate corresponding to a particular user; sending, by the computing device, a verification request to a server system over a communication network, the verification request being generated based on the certificate; and receiving, by the computing device, a verification response from the server system over the communication network, the verification response confirming authorization for the particular user corresponding to the certificate; and in response to receiving the verification response: initiating, by the computing device, a communication session based on confirming authorization for the particular user, enabling, by the computing device, the operating system to boot, and passing, by the computing device, the communication session to the operating system such that the operating system continues the communication session after the operating system is enabled to boot.
This invention relates to secure computing device boot processes using a Unified Extensible Firmware Interface (UEFI) environment. The problem addressed is ensuring that only authorized users can boot and access a computing device, preventing unauthorized access during startup. The solution involves a computing device that, upon powering on, enters a UEFI environment where it restricts the booting of the operating system. The device accesses a certificate corresponding to a particular user from a trusted platform module (TPM) and sends a verification request to a server system over a communication network. The request is generated based on the certificate. The server system responds with a verification response confirming the user's authorization. In response to receiving this confirmation, the computing device initiates a communication session, enables the operating system to boot, and passes the communication session to the operating system, allowing it to continue the session after booting. This ensures that the device only boots and operates for authorized users, enhancing security during the startup process. The system leverages hardware-based security features like the TPM and network-based authentication to verify user identity before allowing system access.
17. The one or more non-transitory computer-readable storage devices of claim 16 , wherein: the trusted platform module stores a secure address for the server system; and sending the verification request to the server system comprises: determining an address to send the verification request based on the secure address stored in the trusted platform module, and sending the verification request to the secure address for the server system.
This invention relates to secure communication between a computing device and a server system, addressing the need for trusted and tamper-proof verification processes. The system includes a trusted platform module (TPM) that securely stores a server system's address, ensuring the integrity and authenticity of the communication endpoint. When a verification request is sent to the server system, the computing device retrieves the secure address from the TPM rather than relying on potentially vulnerable or modifiable storage locations. This ensures that the request is directed to the correct and authorized server, mitigating risks of man-in-the-middle attacks or redirection to malicious endpoints. The TPM acts as a hardware-based root of trust, providing cryptographic assurance that the stored address has not been altered. The system enhances security by preventing unauthorized modifications to the server address, thereby maintaining the integrity of the verification process. This approach is particularly useful in environments where secure authentication and data exchange are critical, such as financial transactions, enterprise networks, or IoT device management. The invention ensures that verification requests are sent to the intended and verified server system, reducing the risk of interception or spoofing.
18. The one or more non-transitory computer-readable storage devices of claim 16 , wherein, while in the UEFI environment, the operations further comprise: initiating the communication session by entering a virtual private network session; and passing the communication session to the operating system by passing the virtual private network session to the operating system such that the operating system continues the virtual private network session after the operating system is enabled to boot.
This invention relates to secure communication session management in computing systems, specifically during the transition from the Unified Extensible Firmware Interface (UEFI) environment to the operating system (OS). The problem addressed is ensuring secure communication continuity when transitioning from UEFI to the OS, particularly for virtual private network (VPN) sessions. In UEFI environments, secure communication sessions like VPNs are often initiated before the OS fully boots, but these sessions may be disrupted during the transition. The invention provides a method to maintain VPN sessions seamlessly by initiating the VPN session in the UEFI environment and passing it to the OS, allowing the OS to continue the session after booting. This ensures that the VPN connection remains active and secure throughout the system startup process, preventing interruptions or security gaps. The solution involves specialized firmware and OS components that facilitate the handoff of the VPN session, ensuring that the session parameters and security context are preserved. This approach is particularly useful in enterprise or high-security environments where uninterrupted VPN connectivity is critical. The invention may also include additional security measures to verify the integrity of the session during the transition.
19. The one or more non-transitory computer-readable storage devices of claim 16 , wherein the operations further comprise: receiving, by the computing device, a proof of identity of the particular user; verifying the proof of identity of the particular user; and enabling the operating system to boot based on verifying the proof of identity of the particular user.
A system for secure computing device booting verifies user identity before allowing the operating system to start. The system includes a computing device with a processor and non-transitory computer-readable storage devices containing instructions. The instructions, when executed, perform operations to receive a proof of identity from a particular user, verify the proof of identity, and enable the operating system to boot only after successful verification. This ensures that unauthorized users cannot access the device by preventing the operating system from loading without proper authentication. The proof of identity may include biometric data, passwords, or other authentication factors. The system enhances security by integrating identity verification directly into the boot process, reducing the risk of unauthorized access to sensitive data or system functions. The computing device may be a laptop, desktop, server, or other electronic device requiring secure access control. The verification process ensures that only authorized users can initiate the boot sequence, protecting the device from unauthorized use.
20. The method of claim 1 , further comprising, in response to receiving the verification response, providing, by the computing device, identity verification data for the particular user to the operating system such that the operating system logs in the particular user without requiring further proof of identity for the particular user.
This invention relates to user authentication systems, specifically methods for streamlining identity verification during login processes. The problem addressed is the inefficiency and inconvenience of repeated identity verification steps when a user attempts to access a computing device or system. Traditional systems often require multiple authentication steps, even after initial verification, leading to delays and user frustration. The method involves a computing device receiving a verification request for a particular user. The device then sends this request to an identity verification service, which processes the request and returns a verification response. Upon receiving this response, the computing device provides identity verification data directly to the operating system. This data allows the operating system to log in the user automatically, eliminating the need for further proof of identity. The system ensures secure and seamless access by leveraging pre-verified identity data, reducing redundant authentication steps while maintaining security. This approach is particularly useful in environments where multiple logins or system access points are required, such as enterprise networks or multi-application platforms. The method enhances user experience by minimizing interruptions while ensuring that authentication remains robust.
Unknown
December 1, 2020
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.